Linux – FTP and Apache permission issues

apache-2.2file-permissionsftplinux

Im having issues as to which user should own my www directory – ftp or apache?
When set to the ftp user, the user can add, remoe and easily modify files but php file system actions generate permission denied errors (ofcourse because they require the user to be apache). If however, the www directory is chown to apache, the ftpuser wont be able to perform some actions like file modification and deletion.
Any one ever encountered similar issue? What's the fix?
Thanks

Best Answer

This is what groups are for.

You can add the ftp user to the apache group, and vice-versa. Or, even better, you could add them to a third group that you create specifically for this purpose.

e.g.

# groupadd mygroup
# useradd -G mygroup ftp
# useradd -G mygroup apache
# chown -R :mygroup /var/www
# chmod -R g+rw /var/www

Those commands do the following:

Creates new group 'mygroup'
Adds ftp user to mygroup
Adds apache user to mygroup
Recursively grants group ownership to contents of /var/www/ to mygroup
Recursively grants group read & write perms to contents of /var/www/

You just need to make sure that files added in the future belong to the 'mygroup' group and have the appropriate permissions for both apache and ftp to read/write them.

Related Solutions

CentOS / Redhat: Give file permission for apache and vsftp

CentOS 5.5 should have filesystem ACLs on by default, just use setfacl to give 'ftpuser' the rights:

setfacl -R -m u:ftpuser:rwx /var/www/myWebApp

See the man page for setfacl/getfacl if you've never used them before.

Linux – Issues with VSFTPD / FTP on Linux Ubuntu server – Steps for Troubleshooting

So here's the INPUT portion of your iptables configuration.

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

HERE^

ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED

The line that i highlighted with the REJECT is denying all inbound connections. The rules you put at the bottom to permit ftp & ftp-data are never firing. Nor are the ufw- rules.

I'm not an ubuntu person and I don't have a box handy to look at, but it's likely your init script that handles your firewall is hardcoding the first few rules, and then the place where you added your config is happening later in the boot sequence.

Best Answer

Related Solutions

CentOS / Redhat: Give file permission for apache and vsftp

Linux – Issues with VSFTPD / FTP on Linux Ubuntu server – Steps for Troubleshooting

Related Topic